Thanks Kyle.

So basically I can just use Configure for building FIPS capable OpenSSL library, as long as I pass the right parameters to it, right?

Also if I use Configure, do I need to explicitly turn off the non-FIPS approved algorithms, like passing "no-rc4" as a parameter to the Configure command? I understand it's not necessary to do that if I use config script.

Thanks,
Rich

On Wed, Feb 10, 2016 at 12:57 PM, Kyle Hamilton <aerowolf at gmail.com> wrote:

> ./config autodetects the platform and such, passing various parameters to
> Configure. So, after you've built the canister, you can do as you want.
>
> So, to do this, figure out from ./config what parameters it passes to
> Configure in the presence of the 'fips' argument, then modify the command
> line the packaging script invokes accordingly.
>
> -Kyle H
>
>
> On 2/10/2016 12:47 PM, cloud force wrote:
>
> Thanks Kyle.
>
> Yes, for building FIPS canister I did exactly the same thing as it
> mentioned in the security policy doc.
>
> My questions above were mainly regarding building the OpenSSL library
> itself with the fipscanister.o modules.
>
> In the doc it said we should just do "*config fips*", and since the
> Ubuntu OpenSSL packaging script does not run *config* script and it runs
> *Configure* script instead, I was wondering should I still run "./config
> fips" before running the Configure script, or should I just run "Configure
> fips" instead?
>
> Thanks,
> Rich
>
> On Wed, Feb 10, 2016 at 12:37 PM, Kyle Hamilton <aerowolf at gmail.com>
> wrote:
>
>> My understanding is, you must follow the steps given in the Security
>> Guide *exactly*, with no deviation, in order to produce a validated binary
>> of the FIPS canister. In other words, you *must not* try to use Configure
>> when attempting to build the FIPS canister because it does not match the
>> steps given in the Security Guide.
>>
>> Once you have the FIPS canister, you can build a version of OpenSSL that
>> uses it pretty much indiscriminately (as long as you ensure that all the
>> things that fipsld does actually happen when it comes time to link).
>>
>> (I apologize if my knowledge is out of date, I haven't been following the
>> FIPS development for a couple of years.)
>>
>> -Kyle H
>>
>>
>> On 2/10/2016 12:23 PM, cloud force wrote:
>>
>> Hi Everyone,
>>
>> I am trying to build FIPS capable OpenSSL as an Ubuntu 12.04 package.
>>
>> From the OpenSSL doc it mentioned we need to do ./config fips in order to
>> build openssl under fips mode. I tried that and it worked well.
>>
>> Now I am building the OpenSSL FIPS as a Ubuntu package. I noticed the
>> package manager meta script uses the Configure (instead of config script)
>> under the openssl source folder.
>>
>> I was wondering should I also do "Configure fips", if I use the Configure
>> script to configure the source tree? What's the relationship between config
>> and Configure scripts?
>>
>> Or should I just run ./config fips first and then let the package manager
>> script run Configure?
>>
>> Thanks.
>> Rich
>>
>> --
>> openssl-users mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users